Half Baked IoT Stove Could Be Used As A Remote Controlled Arson Device

[Pen Test Partners] have found some really scary vulnerabilities in AGA range cookers. The cookers are controlled over SMS: a mobile app sends an unauthenticated SMS to the AGA to give it commands, for instance to preheat the oven. You can also just tell your AGA to turn everything on at once.

The problem is with the web interface: it allows an attacker to check whether a user’s cell phone is already registered, allowing for a slow but effective enumeration attack. Once the attacker finds a registered device, all they need to do is send an SMS, because the cooker does not authenticate messages, nor is the SIM card set up to send the messages validated at registration.

This is quite disturbing. What if someone left a tea towel on the hob, or some other flammable material, before leaving for work, only to come back to a pile of ashes? This is a six-gazillion BTU stove and oven, after all. It seems that the more connected we are in this digital age, the more vulnerable to attacks we become; companies seem too busy trying to push their products out the door to do simple security checks.

Before disclosing the vulnerability, [Pen Test Partners] tried to contact AGA through Twitter and ended up being blocked. They phoned around trying to get in contact with someone who even knew what IoT or security meant. This took some time, but finally they managed to get through to someone in technical support. Hopefully AGA will roll out some updates soon. The company’s reluctance to do something about this security issue does highlight how sometimes disclosure may not be enough.
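One way a cooker could authenticate the SMS commands the article describes, as an added example that is not from the original article or from AGA's product. The command names, the `counter|command|tag` message layout and the per-device shared key are all assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical command names; the page does not give the cooker's SMS syntax.
ALLOWED_COMMANDS = {"OVEN_ON", "OVEN_OFF", "ALL_OFF"}


def _tag(key: bytes, counter: int, command: str) -> str:
    """HMAC-SHA256 over the counter and command, hex encoded."""
    msg = f"{counter}|{command}".encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_command(key: bytes, counter: int, command: str) -> str:
    """App side: build the SMS body 'counter|command|tag'."""
    return f"{counter}|{command}|{_tag(key, counter, command)}"


class Cooker:
    """Device side: accepts a command only if it is authentic and fresh."""

    def __init__(self, key: bytes):
        self.key = key          # assumed to be provisioned per device
        self.last_counter = 0   # highest counter accepted so far

    def handle_sms(self, body: str):
        """Return the accepted command, or None if the message is rejected."""
        parts = body.split("|")
        if len(parts) != 3:
            return None  # includes bare, unauthenticated commands
        counter_s, command, tag = parts
        if not (counter_s.isascii() and counter_s.isdigit()):
            return None
        if command not in ALLOWED_COMMANDS:
            return None  # allowlist: anything not listed is refused
        counter = int(counter_s)
        expected = _tag(self.key, counter, command)
        # Constant-time comparison of the expected and received tags.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return None
        if counter <= self.last_counter:
            return None  # replay of a previously accepted message
        self.last_counter = counter
        return command


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    cooker = Cooker(key)
    sms = sign_command(key, 1, "OVEN_ON")
    print(cooker.handle_sms(sms))        # authentic and fresh
    print(cooker.handle_sms(sms))        # same message replayed
    print(cooker.handle_sms("OVEN_ON"))  # bare command with no tag
```

With this scheme, knowing a registered phone number is not enough to issue a command: the sender must also hold the device key, and a captured message cannot be sent a second time.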

37 thoughts on “Half Baked IoT Stove Could Be Used As A Remote Controlled Arson Device”

Aga ovens are generally on 100% of the time (there are models that burn gas, oil and coal as well as using electricity – my grandparents had a coal one and had to fill it daily). The default mode is “full on”. They work by being huge lumps of cast iron, which holds heat well, so the electric version essentially just pumps enough heat into the metal to overcome the environmental losses, and losses to the cold things you put in/on it to warm up. They take a day or more to warm up from cold.

Generally, the concept of remote control is when you have a holiday home in the country, and want to turn the aga on a day or so before you’re there, so it’s then hot enough to cook with when you arrive. If it’s turned on by a hacker, you just get a big electricity bill, not a pile of ashes.

The oven itself wouldn’t be a problem; it’s the burners on top of it. If somebody left a pot of food on there, an attacker could switch it on until the burner and leave it on until any water boils away and the food catches on fire.

There are no burners on it. It’s a lump of iron. You open up an insulated “hob cover” and put the things you want to heat on top of it – no naked flames, the heat comes from the big bit of iron.

Believe me, cooking Christmas dinner on one of these is artful in heat management. You need to get the really hot things done first, because the whole thing will be cooling down as it heats other things up. Roast potatoes first, and by the end you’ll hopefully have enough heat left to boil the sprouts.

(you never leave the covers – the shiny things you can see on the top – open when you’re out, because it’d just all end up cold. Generally you do cover the whole thing in stuff you want to be warm/hot, like your washing, towels, cats, etc)

Yup, fuckton of iron plus lots of insulation, that’s the Aga formula. Well, it was in the 1940s. Now it’s middle-class pretension plus idyllic dreams of an age that never was. Nobody who actually needs to cook would buy one. You’d just use the microwave instead.

Aga do make conventional “range” cookers too. Their whole market is people who value aesthetics over anything else, they can’t miss out the market of shallow people who like the look but do not like the hassle of running on oil (or having a separate oven for the summer).

I wasn’t familiar with Aga stoves, but the screen shot showed a control interface for a stove with a conventional range top. Being able to take unauthorized control over those remotely would be a massive risk.

Was gonna comment the same:
Not a risk,
Though a compartmentalized one for switching off the chambers that you’ll not find yourself ever using often, like say once a year maybe(I have seen one such unit by Hotpoint I think the brand was) may be at risk of overloading the mains cable of an old Victorian era cottage with old undersized cabling.
This is why circuit-breakers and fuses exist, to save the cable before the equipment and not the equipment as the cabling is (Was) what is (Was) expected to be the likely cause of a fire, though the safety standards nowadays with house wiring over-engineering means faulty equipment is at several magnitudes greater risk of causing fire than a shorted melted mains cable, though both still risk a lost abode!!!
Just not the Victorian-era-storage-heater-cooker-style cooker auto-starting from the other side of the planet.

That’s amazingly wasteful. I’m sure they have reasonable insulation but there must still be a few kWh making your house hot (and presumably yet more kWh running an always-on aircon to cool your house down).

My grandfather had a wood fired stove like that, I thought they were a relic of a bygone era.

Back then, in the UK, houses were very draughty and coal was cheap. Nobody had central heating, you had a coal fire in the living room and that’s that. A housewife cleaning the house would wear a coat. Or just be cold. We spent a lot of time being cold in Britain, til not so long ago.

So having a range cooker taking the edge off was quite nice. And they have formidable insulation, they’re also quite airtight, you control the heat by opening vents. With them all closed and the doors closed, and the insulators over the hot plates on top, they’d be warm but not hot to the touch.

I wasn’t a housewife in the 1950s, but my nana had a range cooker up til the 80s, and hated her husband for it, the tight old get. I’m pretty sure they were fairly economical. They were designed to be always-on, gently warm. Since to start one up you’d have to clean it out first. And I’ve no idea how you’d actually stop the fire.

Now think about millions of cloud controlled IOT stoves and what would happen if someone hacked the cloud servers and turned all the cookers on at once. This could burn down many houses and even bring the grid down if enough load was turned on at once. The key is not to control IOT devices from the cloud but directly, point to point, from your controller (e.g. smartphone) over the Internet using decent security. MQTT using TLS is quite good for security if set up properly. Then a hacker would have to break into each house individually, not such a tempting proposition. Of course, all the money is going into centralized cloud based solutions as the businesses are “digging for gold” where the gold is your data. Such systems are not resilient. The Internet of Things has to be open, with full interoperability between devices (not “Islands of Things”) and intelligence must be distributed under control of the users if it is to achieve its promise without handing a huge amount of data and hence power to those who control the central cloud. I am slowly building such a distributed “cloud free” environment for my own use and will be making the details freely available as the project progresses.

If you geolocated each target and turned them on and off in waves you may be able to set up all sorts of load resonances in the grid that would cause problems as there is a finite spin-up time for the power generation systems that manage base load.

Yet another IoT-FAIL and yet another company that has no clue on what to do when a white-hat tells them they might have a problem. At least they didn’t threaten the guy with legal action – yet.
Nothing new here…

That’s a waste of time. Having an IOT cooking device is absurd in the first place, I can understand AC but not items you would set up and use then clean and close, I do like the start timer on the washing machine though.

Pretty much agree, I had a DIY internet connected remote control setup in the 90s, the only truly useful thing was to start the AC before we got home, the rest was bugging my wife with flashing the lights or turning on music or audio clips. I still think about an irrigation system for a garden with soil moisture sensors but for now I just have the small patch running on the output of the washing machine(some green soap) and hoping for good results when we are away.

It’d be a really easy way of striking at the bourgeoisie, just write a script that iterates through every Aga it can find, and blows the kitchen up. You could set it off running on some cloud somewhere.

Having worked in LAN / WAN and then Web Server security – let me tell you some things about it.

First – what others in the industry will tell you –
——————————
There is no such thing as security. It’s just a rewards ‘v’ effort thing. If the rewards are big enough then some hacker will put the effort in to find some security vulnerability.
——————————

This is both right and wrong at the same time. It’s right when applied to web servers to a very large degree but it’s only right because of the security model that is always utilized on web servers and that is because of the security model of the operating system.

In a nutshell the security model is a “Black List”. Some coder has to code in all the things that hackers are not allowed to do, in the hope of capturing all those things that can be adverse to the server or client.

The best compensation for this is to code an Application Programming Interface (API). Which is more or less a White List of all the things that are allowed. This is often buried deep behind several layers of web servers for reasons I will explain.

When you drop this White List API on a web server, you are in fact dropping it on an operating system that has the Black List security model so hackers will just hack the operating system and gain access that way. The common solution is to have the web interface on one server and the API on an undisclosed server hidden behind the web interface. Often several layers deep.

So in the above security model you have a web server running in a Black List connecting to an application server using a White List that is on top of an operating system that is using a Black List where that Black List is hidden by a security model called “Security by Obfuscation”. The latter being one of the poorest security models.

Another thing about the Black List security model. What do you “Black List”? Well you Black List all the things hackers have used successfully in the past because you don’t know how they are going to succeed in the future but when they do, you add that to the black list as well. OR in other words – the “Black List” security is ironically dependent on hackers succeeding so that it can be improved upon – and this is precisely why black listing is a failure as a security model. That very same security model is utilized in all of the common operating systems (OS) because of the evolution of those OS’s. You cannot ADD a white list to an OS. A white list has to be there from the start but you can add a black list to an existing OS.

With IoT we have a simple OS *and* TCP/IP. Now TCP/IP *is* one of the most secure and tested security models if you exclude its vulnerability to be utilized for DOS / DDOS / DRDOS attacks that cause a denial of service rather than a theft of or manipulation of data.

So why all this rant. Well, we are at a point where we can create / choose / write / code a brand new OS for simple devices that is “right from the start” based on a “White List” security model and I want to get that out there in places like this where real coders / programmers are.

It can be done and it’s not as hard as you might expect. I have coded a system that sends telemetry (data acquisition) from an explosive environment that has soft flesh humans around in it. Please don’t imagine the consequences of that system being hacked but rather understand that it can be done and that it is very important that it is done. But most of all please understand that the opportunity to do this is NOW.

Software-wise you are indicating towards “coding by contract”. You might want to have a look at programming languages like Ada, Eiffel and Erlang. C or C++ are definitely not fit for the job.
You are very right, the web-interface is always vulnerable and the API has to define what can be done. And for anything handling serious power in any form (heat, radiation, mechanical movement) some electromechanical interlocking is probably the way to go.
Have a look at the door-switches of a microwave oven, there are usually two of them, one that is closed when the door is open shorting the magnetron’s power supply and one that is open when the door is open connecting the power supply to the magnetron. This is usually done in a similar manner for commercial heating systems (> 100kW), at least two relays to engage the burner, one n.o., one n.c. both with a second set of contacts that are read back. So, the aforementioned oven should have a thermo-switch that gets tripped when the surface gets dangerously hot and shuts the whole thing down. BTW, it most likely does.
IMO, it is a blatant lie to communicate that IoT can be made secure by software measures only. At one point or another they will hack your home-automation system and send any commands they want to your devices or update their firmware. Then it is the devices’ hardware which prevents your house from burning down, being flooded, or being heated to 50C killing your pets.
Just my two Euro-cents…

Great points. An IoT microwave oven isn’t gonna microwave if the door is open. (Unless the designers are complete morons.) And hopefully “clean oven mode” cannot be activated remotely on any IoT oven/stove/range.

I still wouldn’t buy it though. Didn’t we all learn something from ‘smart’ LEDs, ‘smart’ refrigerators, ‘smart’ thermostats, and the web-enabled cameras crippling the internet on several occasions?

Or some decision maker (aka management) decides “No one will ever do that” or another classic response “That’ll never happen” as justification to skip/by-pass one or more “best-practices”. Please don’t try and say this never happens or happens only in movies. While it may not be the norm and is the exception the fact is it DOES happen and will continue to happen so long as those in power at these companies have little to no fear of repercussions for taking short cuts.

There’s a lot of hate for Aga here. They’ve been oversold to “lifestyle” customers, unfortunately. It’s true they go through a *LOT* of energy, whether oil, electric, or gas. I don’t own an Aga, but I do own a wood-burning Rayburn (the Aga’s “little brother”).

Pros: It cooks (bread, pizza, and roasts to die for, and the lower oven takes care of slow-cook needs), It heats the house (I don’t need any other heating), and it has a water jacket, so it takes care of the hot water, too. It has a hot water loop running to the bathroom, so I’ve also got a hot towel rail. It’s also nice to come home and split some firewood, after a day spent looking at computer screens (I’m serious – it’s quite the de-stresser). It needs little maintenance – clean the chimney once/year, new grate about once in 5 years, and new firebricks about every 10 years.

Cons: it’s a hungry beast – 24×7 for nine months of the year, but I’m growing my own firewood, so the cost is low. The house is very hot during summer (no air-con, a disadvantage of off-grid PV+batteries), so I only do a “burn” every 3 days to keep the water hot. Other days I have to cook on a gas burner. They’re costly to buy, but you’ll never need another one.

Oh, one more for the “pros” – IT DOESN’T HAVE A SINGLE PIECE OF ELECTRONICS IN IT! Try hacking my stove, you script-kiddies!

I think Aga made a big mistake to push their products to people who don’t have a valid use. They’re no good in a house or kitchen that isn’t designed for them – they can be very good in a limited set of circumstances, but I suppose if you don’t keep expanding your market, your business will fail. That’s the trouble with technology like this – big, dumb blocks of iron never need replacing, so you can’t keep selling a new one to the same people every few years – you have to find new people to sell your products to, and IoT seems to be a selling point for certain types who might otherwise never buy your product. “Use your smartphone to turn on the Aga in your country house the day before you arrive, and you can open the door to a warm welcome and a stove that’s ready to cook your dinner.”

I’m not surprised they were silent on the security issue, they’ve kind of battened down the hatches after coming under fire for the amount of energy they use, especially the electric models.

“disclosure may not be enough” it may take the security researchers to turn black hat and commit arson and burn someone’s house and then commit postal theft and steal the insurance check and forgery and sign and cash the check to get the manufacturer’s attention.

Just searched Wikipedia for ‘AGA cooker’, and ‘hob’. I want one! (…while they’re still available…)

This is a good example of how the IoT can, and probably will, kill off a company which has been selling great product for almost ninety years. And all because of a rush to embrace new technology without understanding the ramifications.